Copenhagen-based programmer Radu Dragusin recently discovered that almost 100,000 user names and plain text passwords for members of the IEEE were made available on the organization’s FTP server for at least a month.
“IEEE suffered a data breach which I discovered on September 18,” Dragusin wrote in a Slashdot post. “For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places.”
“The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it),” Dragusin wrote in a separate analysis.
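The failure Dragusin describes is credentials written into web server logs in plaintext and those logs then left world-readable. The defender's follow-up is to find which log lines carry credentials, which accounts they belong to (for forced resets), and to redact the secrets before the logs are retained. The script below is an added example, not IEEE's or Dragusin's code; it assumes Combined Log Format access logs and that the credentials reached the log as GET query parameters (the page does not say how they got there), and the parameter names and sample lines are constructed.

```python
# Added example (not IEEE's or Dragusin's code): find and redact credentials that ended up
# in web-server access logs. Assumes Combined Log Format and GET query parameters (a guess).
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Parameter names that must never be written to a log (matched case-insensitively).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "passphrase", "token"}
# Parameter names that identify which account a leaked secret belongs to.
ACCOUNT_PARAMS = {"username", "user", "login", "email"}

# Constructed sample log; the addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2012:08:15:02 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2012:08:15:09 +0000] "GET /article?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Sep/2012:08:16:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2012:08:17:01 +0000] "GET /api/auth?user=bob&pwd=s3cret&remember=1 HTTP/1.1" 200 88 "-" "curl/7.26"
"""

def query_pairs(line):
    """Return (regex match, [(name, value), ...]) for the request's query string."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    return m, parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)

def leaked_credentials(line):
    """Map each secret-bearing parameter in one log line to its logged value ({} if clean)."""
    _, pairs = query_pairs(line)
    return {k: v for k, v in pairs if k.lower() in SECRET_PARAMS}

def affected_accounts(lines):
    """Sorted account identifiers that appear in the same request as a leaked secret,
    i.e. the accounts whose passwords must be reset once the log has been exposed."""
    hit = set()
    for line in lines:
        _, pairs = query_pairs(line)
        if any(k.lower() in SECRET_PARAMS for k, _ in pairs):
            hit.update(v for k, v in pairs if k.lower() in ACCOUNT_PARAMS)
    return sorted(hit)

def redact_line(line):
    """Replace secret values in the request target with REDACTED; clean lines pass through."""
    m, pairs = query_pairs(line)
    if not m or not any(k.lower() in SECRET_PARAMS for k, _ in pairs):
        return line
    clean = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    target = urlsplit(m.group("target"))._replace(query=urlencode(clean))
    return line[:m.start("target")] + urlunsplit(target) + line[m.end("target"):]
```

`affected_accounts(SAMPLE_LOG.splitlines())` yields the accounts that need a reset, and mapping `redact_line` over the file produces a copy that is safe to keep; the better fix remains never logging secrets and never exposing the log directory at all.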
“While it’s too early to fully assess the severity of the data breach, which impacts both ieee.org and spectrum.ieee.org, Dragusin states that the available information exposes these users’ activity on these sites,” writes Nextgov.com’s Leandro Oliva. “Malicious parties interested in identifying users could conceivably be assisted in mounting spear phishing attacks on these users, and potentially come up with social engineering exploits.”
“This is not IEEE’s first breach involving members’ information,” DataBreaches.net reports. “A November 2010 hack affecting 828 members was disclosed in February 2011. And in April 2011, some members who signed up for life insurance underwritten by NY Life Insurance were notified that a mailing error by Marsh U.S. Consumer exposed some of their information to other members.”